Does US Govt. have the Right to Our Data on Foreign Servers?

Here's an interesting and timely article in Ars Technica posted by David Kravets about the battle between Microsoft and the US government over customers' emails and whether or not the US government has the right to surveil emails that are housed in Microsoft's Irish datacenters.

The Justice Departmenton Friday petitioned the US Supreme Court to step into an international legal thicket, one that asks whether US search warrants extend to data stored on foreign servers. The US government says it has the legal right, with a valid court warrant, to reach into the world's servers with the assistance of the tech sector, no matter where the data is stored.

The request for Supreme Court intervention concerns a 4-year-old legal battle between Microsoft and the US government over data stored on Dublin, Ireland servers. The US government has a valid warrant for the e-mail as part of a drug investigation. Microsoft balked at the warrant, and convinced a federal appeals court that US law does not apply to foreign data.

The governmenton Fridaytold the justices that US law allows it to get overseas data, and national security was at risk.

"This Court should grant review to restore the government’s ability to require providers to disclose electronic communications—which are, in this day and age, often the only or the most critical evidence of terrorism and crime," the government wrote. (PDF)

The outcome has huge privacy ramifications for consumers and for the tech sector, which is caught between a rock and a hard place. The sector is being asked by the US government to comply with court orders that sometimes conflict with the laws of where the data is stored.

To remedy that, Congress is trying to hash out legislation that would allow the US government to enter into reciprocity agreements with other countries so that each side has the right to access data on foreign servers—with a valid warrant.

1 comment

The fundamental issue in this case is whether the ECPA gives the federal government authority to conduct extraterritorial search and seizure, given that it is established constitutional law that US search warrants are only valid in US territory. To get around this difficulty, federal prosecutors and the District Court ruling relied on two extraordinarily creative, but deeply flawed, legal arguments.
1. Location doesn't matter in cyberspace: the emails are really stored in Seattle at Microsoft HQ.
According to the government,"electronic property" is just a block of ones and zeroes stored somewhere on "somebody else's computer" and accessible over the Internet. In other words, in cyberspace, geographical location doesn't mean anything. The District Court ruling even concluded that the search and seizure of electronic property can be considered - for the purposes of the law - as happening at the headquarters of the Service Provider, in this case in Seattle.
As a matter of fact, however, the emails in question (those blocks of ones and zeroes) are really stored in a server or on a disk drive in Dublin, even if they can be copied to Seattle. All of this ill-informed and fuzzy thinking - contradicted by numerous judicial precedents and thoroughly debunked by 35 eminent computer scientists in an amicus curiae brief filed with the court - doesn't change that physical reality.
2. A search warrant under the ECPA is not really a search warrant but a hybrid subpoena.
This is a crucial - if highly technical - legal point in the government's case. Warrants give law enforcement the right to enter and search premises while a subpoena requires the recipient to produce information in its possession, custody, or control regardless of the location of that information. The government claimed that the document issued as a search warrant was, in fact, a hybrid subpoena. When the Court asked if the ECPA warrant was a subpoena dressed up as a warrant that also has the powers of a subpoena, the government attorneys said it was indeed.
The problem with this argument is that it is totally inconsistent with the statute Congress actually wrote. In fact, the ECPA provides for both warrants and subpoenas, but does so separately and treats them very differently. A simple subpoena is enough to order the production in court of the business records of a Service Provider but Congress required a warrant (a very different legal instrument in the Anglo-American legal tradition) for the search and seizure of private communications held in trust.
One might also add that the Eighth Circuit Court of Appeals in an earlier case rejected the argument that subpoena rules should apply to warrants issued under the ECPA, noting that while warrants for electronic data are often served like subpoenas (via fax), Congress called them warrants and we find that Congress intended them to be treated as warrants.